HIPAA Times news | Concise, reliable news and insights on HIPAA compliance and regulations

How to protect your healthcare practice from insider threats

Written by Lusanda Molefe | Feb 10, 2025 1:57:04 AM

The U.S. Department of Health and Human Services (HHS) defines insider threats as risks posed by individuals within your organization who have access to sensitive data, such as employees, contractors, or vendors. These threats can be intentional (e.g., malicious actions) or unintentional (e.g., accidental data leaks).

Go deeper: Insider threats in healthcare


Common types of insider threats

  • Accidental threats: Human error, such as sending protected health information (PHI) to the wrong recipient or falling for phishing scams.
  • Negligent threats: Employees who bypass security protocols, such as sharing passwords or using unsecured devices.
  • Malicious threats: Intentional actions, such as stealing patient data for financial gain or sabotaging systems.


Risks and challenges

According to a 2021 report, 61% of data breaches in healthcare involve insiders, often due to negligence or malicious intent. These threats not only jeopardize patient privacy but also pose serious risks to organizational integrity and financial stability.

Insiders may exploit access to financial systems or sensitive data for personal gain, leading to financial losses through fraud. Malicious insiders can also disrupt systems, such as electronic health records (EHRs) or medical devices, as seen when a hospital employee created a backdoor in an HVAC system, risking patient safety.

Negligent insiders, often acting out of a lack of awareness (for example, leaving unencrypted devices unattended), are the most common source of threats. Third-party risks further complicate the issue: 94% of organizations grant vendors system access and 72% provide elevated permissions, widening the exposure. Detection is also difficult, as insider threats are harder to identify than external attacks, especially with the shift to cloud services, which has made detection 53% harder. Additionally, disgruntled employees or those with financial incentives may intentionally harm the organization, as did the pharmaceutical employee who stole 12,000 confidential files before joining a competitor.

Related: How cyberattacks can disrupt healthcare services


Insider threat mitigation steps

The Cybersecurity and Infrastructure Security Agency (CISA) outlines a structured, four-step approach to mitigating insider threats:


1. Define

The first step is to establish a clear understanding of what constitutes an insider threat within the organization. This involves defining who qualifies as an "insider," such as employees, contractors, or vendors, and identifying the types of harm they could cause, including data theft, sabotage, or fraud. Organizations must develop policies and guidelines to address insider threats, ensuring alignment with their overall security practices and goals.


2. Detect and identify

The next step is to recognize potential insider threats by observing concerning behaviors or activities. This requires a combination of human observation and technological tools. Employees and managers should be trained to recognize behavioral indicators, such as sudden changes in behavior, unauthorized access attempts, or conflicts with coworkers. Monitoring systems, such as access logs and data transfer tracking, can also help identify suspicious activities that may signal malicious intent or negligence.


3. Assess

Once a potential insider threat is identified, the organization must evaluate the risk posed by the individual. This involves conducting a threat assessment based on observed behaviors and available evidence. The goal is to determine whether the individual has the motive, opportunity, and capability to cause harm. Collaboration with cross-functional teams, such as HR, legal, and IT, is required to gather insights and make informed decisions.


4. Manage

The final step is to proactively address and mitigate risks to prevent harmful outcomes. This includes implementing measures to monitor and manage individuals identified as potential threats. Organizations should develop response plans to address incidents, such as revoking access, conducting investigations, or involving law enforcement if necessary. Continuous evaluation and refinement of the insider threat program are also needed to adapt to new risks and challenges.

Learn more: Mitigating the threat of insider data breaches in healthcare organizations


FAQs

What is an insider threat program?

An insider threat program is a formal plan to detect, prevent, and respond to insider threats.


What should I do if I suspect an insider threat?

Start by investigating the activity to determine the extent of the risk. Follow your incident response plan to contain and mitigate the threat, ensuring that sensitive data is protected and further damage is minimized. If patient data is compromised, notify affected patients and report the incident to HHS if required.


What are the signs of a malicious insider threat?

  • Unusual access to sensitive data outside of job responsibilities, such as an employee accessing files they don’t need for their role.
  • Attempts to bypass security protocols or access restricted systems.
  • Unexplained changes to files or systems.
  • Reports from colleagues about suspicious behavior.
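The access-log monitoring described under "Detect and identify" and the signs listed in this answer can be expressed as simple rules over an EHR audit log. The Python below is an added example, not code from the article, HHS or CISA; the user roster, log format, record departments and thresholds are all constructed for illustration.

```python
from collections import Counter
from datetime import datetime

# Constructed roster (hypothetical): the department each user is assigned to.
ROSTER = {"nurse_a": "oncology", "clerk_b": "billing", "dr_c": "cardiology"}

# Constructed EHR audit log: timestamp user action resource record_dept result
AUDIT_LOG = """\
2025-02-03T09:12:00 nurse_a VIEW patient/1001 oncology ALLOW
2025-02-03T09:15:00 nurse_a VIEW patient/2044 cardiology ALLOW
2025-02-03T10:02:00 dr_c VIEW patient/3310 cardiology ALLOW
2025-02-03T10:05:00 clerk_b LOGIN admin/pharmacy-controller - DENY
2025-02-03T10:06:00 clerk_b LOGIN admin/pharmacy-controller - DENY
2025-02-03T10:07:00 clerk_b LOGIN admin/pharmacy-controller - DENY
2025-02-03T22:40:00 clerk_b EXPORT patient/* billing ALLOW
2025-02-03T22:41:00 clerk_b EXPORT patient/* oncology ALLOW
"""

def parse_log(text):
    """Parse the constructed space-separated format into event dicts."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, user, action, resource, dept, result = line.split()
            events.append({"ts": datetime.fromisoformat(ts), "user": user,
                           "action": action, "resource": resource,
                           "dept": dept, "result": result})
    return events

def detect(events, roster, deny_threshold=3, business_hours=(7, 19)):
    """Return (user, rule, detail) findings for three indicator classes."""
    findings, denies = [], Counter()
    for e in events:
        home = roster.get(e["user"])  # None for unknown users, so all access is flagged
        # 1. Viewing records that belong to a department other than the user's own.
        if e["action"] == "VIEW" and e["result"] == "ALLOW" and e["dept"] != home:
            findings.append((e["user"], "outside_role", e["resource"]))
        # 2. Repeated denied attempts against restricted (admin/) systems.
        if e["result"] == "DENY" and e["resource"].startswith("admin/"):
            denies[(e["user"], e["resource"])] += 1
            if denies[(e["user"], e["resource"])] == deny_threshold:
                findings.append((e["user"], "bypass_attempt", e["resource"]))
        # 3. Bulk exports outside business hours or outside the user's department.
        if e["action"] == "EXPORT":
            hour = e["ts"].hour
            if not business_hours[0] <= hour < business_hours[1] or e["dept"] != home:
                findings.append((e["user"], "bulk_export", f"{e['dept']}@{hour:02d}h"))
    return findings
```

Running `detect(parse_log(AUDIT_LOG), ROSTER)` on the constructed log yields four findings: one out-of-role view by nurse_a, one bypass_attempt after the third denied admin login by clerk_b, and two after-hours bulk exports by clerk_b. Each finding is a lead for the "Assess" step, not a verdict on its own.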